CVE-2025-53548: @clerk/backend Performs Insufficient Verification of Data Authenticity

July 9, 2025

Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events.

References

github.com/advisories/GHSA-9mp4-77wg-rwx9
github.com/clerk/javascript
github.com/clerk/javascript/security/advisories/GHSA-9mp4-77wg-rwx9
nvd.nist.gov/vuln/detail/CVE-2025-53548

Code Behaviors & Features

Detect and mitigate CVE-2025-53548 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →